ACCESS CONTROL IN MOBILE NETWORKS 

TECHNICAL FIELD OF THE INVENTION 

The present invention generally relates to access control in communication networks, 
and in particular to access control in mobile networks. 


BACKGROUND OF THE INVENTION 

Access control is generally applicable to network nodes in communication networks 
such as mobile networks, and more specifically NEMO-based (Network Mobility) 
mobile networks, HIP-based (Host Identity Protocol) mobile networks or mobile 
networks based on prefix scope binding update. 

For example, the Network Mobility (NEMO) Basic Support protocol described in reference [1] 
enables mobile networks to attach to different points in the Internet. The protocol is an 
extension of Mobile IPv6 and allows for session continuity for every node in the 
mobile network as the network moves. It also allows every node in the mobile network 
to be reachable while moving around. The Mobile Router, which connects the network 
to the Internet, runs the NEMO Basic Support protocol with its Home Agent. The 
protocol is designed in such a way that network mobility is transparent to the nodes 
inside the mobile network. 



Reference [2] describes a basic AAA (Authentication, Authorization, and Accounting) 
model for NEMO, as well as various usage scenarios. Regarding client access 
authentication for nodes in NEMO-based Mobile Networks, the draft proposes an AAA 
solution between Visiting Mobile Node and Mobile Router which essentially has the 
Mobile Router performing/behaving as a Network Access Server. The Visiting Mobile 
Node will first initiate an access request by sending relevant messages to the Mobile 
Router it attached to using a "link-local" AAA protocol. The Mobile Router contacts 
an external AAA server (e.g., in the Visiting Mobile Node's home network) to perform 
the actual authentication and authorization by employing one of the "global" AAA 
protocols. However, this means that a heavyweight protocol such as RADIUS or 
Diameter is going to be used over the air, which does not make good use of 
scarce radio resources. 

THE INVENTION 

It should be understood that although the invention will mainly be described with 
reference to access control of nodes in a NEMO-based Mobile Network, the inventive 
mechanisms, including filtering and control mechanisms, can be applied to mobile 
networks in general as well as in other communication contexts. For example, the 
invention is applicable in any mobile network architecture involving a mobile router 
located in the mobile network, and a counterpart node on the network side which 
anchors the mobility aspects of the mobile network. Other examples than NEMO-based 
mobile networks include HIP-based (Host Identity Protocol) mobile networks 
and mobile networks based on prefix scope binding update. 



In the following, exemplary embodiments of the invention will be described, including 
preferred features as well as optional features. 

(1) Access control enforcement points (EP's) are located at both the Mobile Router 
and Mobile Router Home Agent. 



There is a conceivable benefit in locating the EP's both at the Mobile Router 
and the Mobile Router Home Agent (MRHA), since unauthorized packets, both 
uplink and downlink, do not have to cross the air interface before being filtered 
away by the EP's. This prevents waste of precious radio resources. The EP 
located at the Mobile Router, called EP_MR for ease of description, monitors 
the uplink packets before the NEMO bi-directional tunnel, while the EP located 
at the Mobile Router Home Agent, called EP_MRHA for ease of description, 
monitors the downlink packets before the NEMO bi-directional tunnel. 

Fig. 1 illustrates authentication and/or authorization of nodes in NEMO-based 
Mobile Networks (PANA, PAA-EP, and EP-EP protocols traverse inside the 
NEMO bi-directional tunnel). 

Preferably, the filtering mechanism involves checking the IP/transport layer 
headers of IP packets that traverse the access control points, also referred to as 
enforcement points (EP), to and from the node in the mobile network. As 
mentioned, an idea according to the invention is to locate an EP at the mobile 
router to monitor/check/filter uplink packets, and another EP at the network 
side anchor node to monitor/check/filter downlink packets. For example, the 
filters are "activated" (or provisioned) in the EP after successful authentication 
and authorization of the node in the mobile network. This process of activation 
involves provisioning of information, e.g. using SNMP. The provisioning may 
be carried out over the PAA-EP interface or possibly the EP-EP interface in the 
hierarchical structure model described below. 

For comparison, reference [2] assumes that the access control function 
(enforcement point) is located in the Network Access Server, which is the 
Mobile Router for this case, and does not prevent unauthorized downlink 
packets from crossing the air interface before being filtered away at the Mobile 
Router. 


(2) Two exemplary concepts and structures involving EP_MRHA and EP_MR are 
given below: 

(i) A flat structure where both EP_MRHA and EP_MR receive the same 
provisioning information from the same access control list source. Fig. 2 
illustrates an exemplary flat structure (no EP-EP interface). 

(ii) A hierarchical structure where the EP_MRHA receives the provisioning 
information from the access control list source and thereafter the 
EP_MRHA forwards to the EP_MR under its control only the 
information pertinent to the uplink direction, i.e. an EP-EP interface. 
There can be a 1-to-n relationship between EP_MRHA and EP_MR. 
Fig. 3 illustrates an exemplary hierarchical structure (with EP-EP 
interface). 



The advantage of concept (i) is the simplicity of implementation: concept (i) 
does not require any EP-EP interface. 

The advantage of concept (ii) is that extraneous provisioning information, such 
as that pertaining to downlink filtering, need not be sent over the air interface 
towards the EP_MR, and also, e.g., the EP_MR may not need to collect 
accounting information, which can be collected at the EP_MRHA anyhow. This 
prevents waste of radio resources, especially for cases where there is frequent 
movement of nodes in and out of the mobile network. 



The provisioning information normally includes the resulting authorization 
information and among other things may involve the filters (i.e. the access 
control list) and restrictions to be used by the EP's, the accounting, and QoS 
markings that have to be carried out by the EP's. 



Fig. 4 illustrates an example of the provisioning signaling flow for concept (i) 
with a flat structure. 
Fig. 5 illustrates an example of the provisioning signaling flow for concept (ii) 
with a hierarchical structure (with EP-EP interface). 
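As an added illustration of the filter placement described in (1) and (2), the following Python model (written for this page; it is not code from the patent, nor from any NEMO or PANA implementation) puts a default-deny enforcement point for uplink traffic at the mobile router and one for downlink traffic at the MRHA, provisions both with IP/transport-layer filters once the node is authorized, and counts how many bytes cross the MR-MRHA link that carries the NEMO tunnel. It compares that with the reference [2] placement, where the mobile router is the only enforcement point. The addresses, filter rules, packet sizes, and the assumption that the MR-MRHA tunnel link is the air interface are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# uplink: node -> MR -> NEMO tunnel -> MRHA -> Internet; downlink is the reverse.
UPLINK, DOWNLINK = "uplink", "downlink"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp", "udp", "icmpv6"
    dport: int       # 0 when the protocol has no ports
    size: int        # bytes on the wire, used to account for air-interface usage
    direction: str   # UPLINK or DOWNLINK


@dataclass(frozen=True)
class AclRule:
    """One IP/transport-layer header match, the kind of filter the PAA provisions."""
    src: str                     # CIDR
    dst: str                     # CIDR
    proto: str                   # protocol name or "any"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


class EnforcementPoint:
    """Checks packets of one direction. No rules means the node has not been
    authenticated/authorized yet, so everything is denied (default deny)."""

    def __init__(self, name: str, direction: str) -> None:
        self.name, self.direction = name, direction
        self.rules: List[AclRule] = []

    def provision(self, rules: List[AclRule]) -> None:
        # Filter "activation" over the PAA-EP interface after a successful
        # authentication and authorization of the node.
        self.rules = list(rules)

    def permits(self, pkt: Packet) -> bool:
        assert pkt.direction == self.direction, "EP wired to the wrong direction"
        return any(r.matches(pkt) for r in self.rules)


def deliver(pkt: Packet, ep_up: EnforcementPoint, ep_down: EnforcementPoint,
            downlink_ep_at_mrha: bool) -> Tuple[bool, int]:
    """Return (delivered, bytes that crossed the air interface).

    Assumption of this model: the air interface is the MR<->MRHA access link
    carrying the NEMO bi-directional tunnel.
    downlink_ep_at_mrha=True : EP_MRHA drops unauthorized downlink packets
                               before they enter the tunnel (placement of (1)).
    downlink_ep_at_mrha=False: reference [2] style, the MR is the only
                               enforcement point, so every downlink packet
                               crosses the air interface before it can be dropped.
    """
    if pkt.direction == UPLINK:
        ok = ep_up.permits(pkt)               # EP_MR, before the tunnel in both models
        return ok, (pkt.size if ok else 0)
    ok = ep_down.permits(pkt)
    if downlink_ep_at_mrha:
        return ok, (pkt.size if ok else 0)    # dropped at the MRHA, never on the air
    return ok, pkt.size                       # checked at the MR, after the air link


# Constructed sample authorization: the node may only use HTTPS towards one
# service prefix, and may receive TCP replies from that prefix.
NODE = "2001:db8:1::10"
SERVICE = "2001:db8:f00d::/64"
AUTHORIZED_UPLINK = [AclRule(NODE + "/128", SERVICE, "tcp", 443)]
AUTHORIZED_DOWNLINK = [AclRule(SERVICE, NODE + "/128", "tcp")]

TRAFFIC = [  # constructed sample packets
    Packet(NODE, "2001:db8:f00d::1", "tcp", 443, 600, UPLINK),       # authorized
    Packet(NODE, "2001:db8:f00d::1", "udp", 53, 80, UPLINK),         # not authorized
    Packet("2001:db8:f00d::1", NODE, "tcp", 52000, 1400, DOWNLINK),  # authorized reply
    Packet("2001:db8:bad::7", NODE, "tcp", 22, 1400, DOWNLINK),      # unsolicited probe
    Packet("2001:db8:bad::7", NODE, "udp", 5060, 1200, DOWNLINK),    # unsolicited
]


def simulate(downlink_ep_at_mrha: bool, authenticated: bool = True) -> Tuple[int, int, int]:
    """Run TRAFFIC through the EPs; return (delivered, air_bytes, wasted_air_bytes),
    where wasted_air_bytes crossed the air interface only to be dropped."""
    ep_mr = EnforcementPoint("EP_MR", UPLINK)
    ep_down = EnforcementPoint("EP_MRHA" if downlink_ep_at_mrha else "EP_MR(downlink)", DOWNLINK)
    if authenticated:
        ep_mr.provision(AUTHORIZED_UPLINK)
        ep_down.provision(AUTHORIZED_DOWNLINK)
    delivered = air = wasted = 0
    for pkt in TRAFFIC:
        ok, on_air = deliver(pkt, ep_mr, ep_down, downlink_ep_at_mrha)
        delivered += int(ok)
        air += on_air
        wasted += 0 if ok else on_air
    return delivered, air, wasted


if __name__ == "__main__":
    print("EP_MRHA filters downlink  :", simulate(True))                      # (2, 2000, 0)
    print("MR-only filtering, ref [2]:", simulate(False))                     # (2, 4600, 2600)
    print("before authentication     :", simulate(True, authenticated=False)) # (0, 0, 0)
```

The same two authorized packets are delivered under both placements, but with the downlink EP at the MRHA no denied packet consumes air-link bytes, and until the node is authorized both EPs deny everything. Note that these filters match only headers: a node on the mobile network link can spoof its source address, so a header filter on its own identifies a flow, not an authenticated peer; the IPsec policy modules mentioned in (6) are where that binding would be made.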

(3) For the case where the PANA (Protocol for carrying Authentication for 
Network Access) protocol [3] is used for access authentication and/or 
authorization of client nodes in NEMO-based Mobile Networks, the following 
configuration may be used: 

a. PAC(s) (PANA Client(s)) is (are) located at the node(s). 
b. PAA (PANA Authentication Agent) is located at the network where the 
MRHA resides, and is the access control list source that provisions the 
EP's as a result of client node access authentication. 

Locating the PAA at the network where the MRHA resides prevents a 
heavyweight AAA protocol such as RADIUS or Diameter from being used over 
the air interface. 

Beyond the PAA, towards and within the AAA infrastructure, suitable AAA 
carrier protocols (e.g., Diameter, RADIUS) may be used to carry the 
authentication and authorization information to and from the home network of 
the node. 

(4) The PANA PAA-EP interface protocol [4] supports the additional requirement 
that it should be lightweight to accommodate possible air interface traversals. 


Incidentally, reference [4] recommends the use of SNMP for the PAA-EP 
interface, which satisfies the lightweight requirement. 

(5) The EP_MRHA-EP_MR (EP-EP) interface protocol for the hierarchical 
structure is defined to reuse the PANA PAA-EP interface protocol. 
In effect, from the perspective of the EP_MR, the EP_MRHA is the access 
control list source, or PAA, that provisions the EP's as a result of client node 
access authentication. This simplifies the standardization/maintenance needed 
for the EP_MRHA-EP_MR interface protocol. 


(6) For the case where SNMP is used for the PAA-EP interface, the SNMP MIBs 
are separated into convenient modules for uplink filtering, downlink filtering, 
IPsec uplink policy, IPsec downlink policy, accounting, etc., so as to facilitate 
simple implementation at the EP_MRHA, i.e., only the necessary MIB modules 
for uplink filtering and IPsec uplink policy can simply be forwarded to the 
EP_MR. 
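The following Python model, added here (it is not code from the patent, nor from any PANA or SNMP implementation), simulates the provisioning flow of concept (ii) against concept (i) together with the module split of (6): the PAA's authorization result is split into uplink-filter, downlink-filter, IPsec uplink policy, IPsec downlink policy and accounting modules; in the flat structure the full record goes from the access control list source to EP_MRHA and to each EP_MR directly, while in the hierarchical structure only EP_MRHA is provisioned and it forwards just the uplink modules, over the EP-EP interface of (5), to the EP_MR the node is attached to (1-to-n). The module names, the record contents, the "attachedMR" field used to pick the right EP_MR, and the JSON encoding used to count bytes are all assumptions of this example.

```python
import json
from typing import Dict

# Module split of the provisioning record, mirroring the MIB split in (6).
# Names are assumed for this example.
UPLINK_MODULES = {"uplinkFilter", "ipsecUplinkPolicy"}
DOWNLINK_MODULES = {"downlinkFilter", "ipsecDownlinkPolicy", "accounting"}
ALL_MODULES = UPLINK_MODULES | DOWNLINK_MODULES


def encode(msg: Dict[str, object]) -> bytes:
    """Wire form used only to count bytes; a real PAA-EP carrier would be SNMP."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def make_provisioning(node: str, attached_mr: str) -> Dict[str, object]:
    """Authorization result the PAA produces for one node (constructed content).
    'attachedMR' is an assumed field telling EP_MRHA which EP_MR the node sits behind."""
    return {
        "node": node,
        "attachedMR": attached_mr,
        "uplinkFilter": [{"src": node, "dst": "2001:db8:f00d::/64", "proto": "tcp", "dport": 443}],
        "downlinkFilter": [{"src": "2001:db8:f00d::/64", "dst": node, "proto": "tcp"}],
        "ipsecUplinkPolicy": {"selector": {"src": node}, "action": "protect", "mode": "tunnel"},
        "ipsecDownlinkPolicy": {"selector": {"dst": node}, "action": "protect", "mode": "tunnel"},
        "accounting": {"interimIntervalSec": 600, "counters": ["octets", "packets"]},
    }


def uplink_subset(msg: Dict[str, object]) -> Dict[str, object]:
    """What EP_MRHA forwards over the EP-EP interface: the uplink modules only."""
    keep = UPLINK_MODULES | {"node", "attachedMR"}
    return {k: v for k, v in msg.items() if k in keep}


class EnforcementPoint:
    def __init__(self, name: str, over_air: bool) -> None:
        self.name = name
        self.over_air = over_air          # True for an EP_MR: messages to it cross the air link
        self.installed: Dict[str, Dict[str, object]] = {}   # node -> installed modules
        self.children: Dict[str, "EnforcementPoint"] = {}   # EP_MRs under this EP_MRHA
        self.air_bytes = 0

    def receive(self, msg: Dict[str, object]) -> None:
        """Handle one PAA-EP message; the EP-EP interface reuses the same format (5)."""
        if self.over_air:
            self.air_bytes += len(encode(msg))
        node = str(msg["node"])
        self.installed.setdefault(node, {}).update(
            {k: v for k, v in msg.items() if k in ALL_MODULES})
        child = self.children.get(str(msg["attachedMR"]))
        if child is not None:             # hierarchical case: forward the uplink part only
            child.receive(uplink_subset(msg))


# Constructed attachment map: two mobile routers under one MRHA (1-to-n).
NODES = {"2001:db8:1::10": "MR1", "2001:db8:1::11": "MR1", "2001:db8:2::20": "MR2"}


def _fresh_eps() -> Dict[str, EnforcementPoint]:
    return {"MRHA": EnforcementPoint("EP_MRHA", over_air=False),
            "MR1": EnforcementPoint("EP_MR1", over_air=True),
            "MR2": EnforcementPoint("EP_MR2", over_air=True)}


def provision_flat() -> Dict[str, EnforcementPoint]:
    """Concept (i): every EP gets the full record straight from the ACL source (PAA)."""
    eps = _fresh_eps()
    for node, mr in NODES.items():
        rec = make_provisioning(node, mr)
        eps["MRHA"].receive(rec)
        eps[mr].receive(rec)          # full record crosses the air to the EP_MR
    return eps


def provision_hierarchical() -> Dict[str, EnforcementPoint]:
    """Concept (ii): the PAA provisions EP_MRHA only; EP_MRHA forwards uplink modules."""
    eps = _fresh_eps()
    eps["MRHA"].children = {"MR1": eps["MR1"], "MR2": eps["MR2"]}
    for node, mr in NODES.items():
        eps["MRHA"].receive(make_provisioning(node, mr))
    return eps


def air_bytes(eps: Dict[str, EnforcementPoint]) -> int:
    """Total provisioning bytes that crossed the air interface to all EP_MRs."""
    return sum(ep.air_bytes for ep in eps.values() if ep.over_air)


if __name__ == "__main__":
    flat, hier = provision_flat(), provision_hierarchical()
    print("flat, bytes over air        :", air_bytes(flat))
    print("hierarchical, bytes over air:", air_bytes(hier))
    print("EP_MR1 modules, hierarchical:", sorted(hier["MR1"].installed["2001:db8:1::10"]))
```

In the hierarchical run each EP_MR ends up holding only the uplink filter and IPsec uplink policy for the nodes attached to it, the downlink and accounting modules stay at EP_MRHA, and the provisioning bytes sent over the air are strictly fewer than in the flat run. Because EP_MRHA routes the forwarded subset by the node's attachment point, an EP_MR never learns filters for a node behind another router.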

(7) The MRHA is selected/authorized as the local Home Agent for the node. This 
is for the case where the node is a Mobile IP mobile node, and a local Home 
Agent is allowed to be selected by the mobile node's home network operator 
and the network operator of the MRHA (e.g., via some inter-operator 
agreement). 

Selecting the MRHA as the mobile node's local Home Agent where possible 
provides the possibility for route optimization, as packets bound for the mobile 
node will have to traverse only one Home Agent instead of two. 

The embodiments described above are merely given as examples, and it should be 
understood that the present invention is not limited thereto. Further modifications, 
changes and improvements which retain the basic underlying principles disclosed herein 
are within the scope of the invention. 
ABBREVIATIONS 



AAA - Authentication, Authorization and Accounting 
EP - Enforcement Point 
EP_MR - Enforcement Point at Mobile Router 
EP_MRHA - Enforcement Point at Mobile Router Home Agent 
MR - Mobile Router 
MRHA - Mobile Router Home Agent 
NEMO - Network Mobility 
PAA - PANA Authentication Agent 
PAC - PANA Client 
PANA - Protocol for carrying Authentication for Network Access 
SNMP - Simple Network Management Protocol 